Hello!

On Tue, Feb 18, 2020 at 12:58:26PM -0500, trstringer wrote:

> I am attempting to add CRL support to my nginx proxy, and it seems to not be
> working due to the following error:
>
> client SSL certificate verify error: (3:unable to get certificate CRL) while
> reading client request headers
>
> From my research, this is because nginx senses a missing CRL. But here is
> the structure of my client certificate (it has the full chain of
> certificates in it):
>
> Certificate:
>     Data:
>         ...
>         X509v3 extensions:
>             ...
>             X509v3 Key Usage: critical
>                 Certificate Sign, CRL Sign
>
> Certificate:
>     Data:
>         ...
>         X509v3 extensions:
>             ...
>             X509v3 CRL Distribution Points:
>                 Full Name:
>                   URI:http://uri1
>
> Certificate:
>     Data:
>         ...
>         X509v3 extensions:
>             ...
>             X509v3 Key Usage: critical
>                 Certificate Sign, CRL Sign
>
> Certificate:
>     Data:
>         ...
>         X509v3 extensions:
>             ...
>             X509v3 CRL Distribution Points:
>                 Full Name:
>                   URI:http://uri2
>                   URI:http://uri3
>                   URI:http://uri4
>
> I take the following steps:
>
> 1. curl and convert output from url1 to PEM.
> 2. curl and convert output from url2 to PEM.
> 3. Concat the two outputs into the same file.
> 4. Specify this file in nginx config for ssl_crl.
>
> But I get the above error.
>
> Any thoughts on what I'm doing wrong? My understanding is that I should be
> able to safely ignore url3, and url4.

You need CRLs for all certificates in the chain.

-- 
Maxim Dounin
http://mdounin.ru/
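
An added example, not part of the original message and not nginx's own tooling: a shell function that reports which issuers in a client certificate chain have no CRL in the PEM bundle given to `ssl_crl`, which is the gap the reply above points at. The function names and file names are hypothetical; it assumes `openssl`, `awk` and `mktemp` are installed.

```sh
#!/bin/sh
# Added example: list the issuers in a client certificate chain that have no
# matching CRL in the PEM bundle passed to ssl_crl. Matching is by issuer-name
# hash only; CRL signatures and validity dates are not checked here.

# split_pem FILE PREFIX: write the Nth PEM block of FILE to PREFIX.N
split_pem() {
    awk -v p="$2" '/-----BEGIN /{n++} n{print > (p "." n)}' "$1"
}

# missing_crl_issuers CHAIN.pem CRLS.pem
# Prints the issuer of every chain certificate that no CRL in CRLS.pem covers.
# Returns 0 if all issuers are covered, 1 if any is missing.
missing_crl_issuers() {
    chain=$1; crls=$2; have=""; rc=0
    tmp=$(mktemp -d) || return 2
    split_pem "$chain" "$tmp/cert"
    split_pem "$crls" "$tmp/crl"
    # Collect the issuer-name hash of every CRL in the bundle.
    for f in "$tmp"/crl.*; do
        [ -f "$f" ] || continue
        have="$have $(openssl crl -in "$f" -noout -hash)"
    done
    # Each certificate needs a CRL published by the CA that issued it.
    for f in "$tmp"/cert.*; do
        [ -f "$f" ] || continue
        h=$(openssl x509 -in "$f" -noout -issuer_hash)
        case " $have " in
            *" $h "*) ;;                       # a CRL from this issuer exists
            *) openssl x509 -in "$f" -noout -issuer; rc=1 ;;
        esac
    done
    rm -rf "$tmp"
    return "$rc"
}

# Stand-alone use (hypothetical script name): ./check_crls.sh chain.pem crls.pem
if [ "$#" -eq 2 ]; then
    missing_crl_issuers "$1" "$2"
fi
```

Any issuer the function prints is one whose CRL still has to be fetched, converted to PEM and appended to the `ssl_crl` file.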